Chip-and-PIN technology has been compromised

Pierluigi Paganini August 19, 2015

A new report published by the popular investigator Brian Krebs show how cyber criminals have compromised chip-and-PIN technology.

Recently chip-and-PIN technology started to be adopted in the US because it would improve the security for the customers, merchants and financial institutions. This is true, but the problem is that when the market pushes in one direction, in this case the adoption of the chip-and-PIN technology, crooks exploit to ways to compromise it.

A new “shimmer”  was found in Mexico, “shimmer” means that a shim is between the chip of the user’s card and the chip reader in the ATM, making possible to record the data from the card while the ATM is reading it.

This new “shimmer” was exposed by Brian Krebs in his blog, the popular expert explains that no special access is required to add the hack component to the ATM, because the component is added from outside.

Chip-and-PIN technology has been compromised 2

The component that you can see was found inside a Diebold Opteva 520 with dip reader (a dip reader is a type of card reader that requires you to insert your card and remove it quickly).

This “traps” are starting to increase, and that means that the crooks need physical access to the ATM.

The new generation of traps, come equipped with a GSM module to send encrypted card data back to the crooks, and spy cameras are also installed above the ATM keyboards, of course a fake numerical keyboard installed by criminals.

Other new ways of exploiting the chip-and-PIN technology is being used by crooks consist in:

  • Using SMS to get money from ATMs using malicious codes.
  • In restaurants using an electronic soldering tool and instead of the card chip they use a phone SIM card.

The findings of the Kreb’s report demonstrate that is wrong to assume that just because you use chip-and-PIN technology you are safe.

In addition, Banks need to have a more aggressive posture when dealing with card frauds and keep in mind that Crooks are always working to take advantage of a new technology.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs – card fraud, Chip-and-PIN technology)



you might also like

leave a comment